Blogging on random thoughts on Cyber Security, Privacy and IT Risk Management issues.

Wednesday, March 5, 2014

Why I like the new NIST Framework. It is simple and doesn't cover anything.

Ever since the new NIST Cyber Security framework (officially named ‘Framework for
Improving Critical Infrastructure Cybersecurity’) came out, it has caused a lot of
discussion in cybersecurity and IT Risk management circles.

Some people opined that this is a step in the right
direction and thanked the NIST, the DHS and the C(3) community for all of their
volunteer work.

My opinion is that the NIST framework is a step in the right
direction. ISO27000, NIST-800-53 or CoBIT are large and comprehensive and designed to
be that way. I believe the NIST
framework can be used to complement the larger systems of controls as well as present
a more understandable snapshot to upper management.

Let’s look at the word ‘Framework’.
A framework is not a bridge. It
is not a building; it is not even a platform.
The NIST framework isn't a bridge to compliance; we are not building
cybersecurity controls with it; and it isn't even a platform to hold up or
support an existing or proposed solution.

It is a framework.
It is small and light, and it is designed to eventually support the bridge,
building, platform and controls that you layer on top of it. Smaller companies may only have time and
resources to bolt a couple of controls on to it.

The NIST framework will allow the IT Risk/CyberSecurity
group to provide concise periodic feedback to upper management. Sending a CoBIT gap analysis document or an
ISO2700x report to the CEO or CFO might look impressive: 750 pages of your
finest work, months of collecting statistics, documents and measuring controls
and their effectiveness. But this collection of three-ring binders will do
nothing but collect dust. You already
know that. They won't read it and you
will be frustrated.

I am not saying you should not do this work. If you have
selected CoBIT/RiskIT, ISO27000 or NIST-800-53, it is my opinion that the NIST
framework can also be used to distill your findings, gaps, risks, vulnerabilities,
exposures and controls into a smaller, easier-to-grasp concept. “And it is government approved”.

Lastly, my only worry is that this framework will be used
INSTEAD of a more comprehensive system - that it will be used as an excuse, or
as the only basis for measuring the effectiveness of your Cyber Security
controls.